Page 1

“Measurably reducing risk through collaboration, consensus & practical security management”

©2013 CIS Security Benchmarks 1

Page 2

Background

George Mason University’s Rights and Benefits as a CIS Security Benchmarks Member

Consensus Benchmarks

their value for system and network security

Assessment Tools – Primarily CIS–CAT

use cases & features; specs & system requirements

Security Software Certification

Consensus Security Metrics

Member Support & Contact Information

Q & A

Page 4

Formed in October 2000

A not-for-profit consortium of users, security consultants, and vendors of security software (Members)

Convenes and facilitates teams developing consensus CIS Benchmarks for system & network security configuration and definitions for information security metrics

Develops, maintains and distributes the Configuration Assessment Tool (CIS-CAT) to its members

Page 6

The right to distribute and use the CIS resources throughout George Mason University

Access to Member Only Resources via the CIS Community Site including but not limited to:

Configuration Assessment Tool (CIS-CAT) Bundle

CIS-CAT Application

XML/XCCDF Benchmark versions

User’s Guide and XML/XCCDF Policy Customization Guide

Remediation Kits (IBM AIX 5.3-6.1, RHEL Puppet Modules, MS Windows 7 & 8, MS Windows Server 2008 & 2012, MS Internet Explorer 9 &10, MS Outlook 2010)

Tutorials/Webcasts

Participation on the Member only discussion areas

Register for access http://benchmarks.cisecurity.org/register

Page 7

Member Updates - timely notification of new releases & updates

CIS Member Logo – use of the CIS Member Logo to show your membership support. Learn more here: http://benchmarks.cisecurity.org/trademarks

Support – As Members, George Mason University employees receive free Benchmark/CIS-CAT implementation support. Submit requests at [email protected]

To view complete list of benefits, please visit: http://benchmarks.cisecurity.org/membership

Page 8

Use of CIS resources in the classroom environment for educational purposes.

Redistribution of CIS resources to enrolled students for use on students’ laptops and desktops. A university may not redistribute CIS resources on its public-facing web site, but may redistribute CIS resources to enrolled students by means which require students to receive and accept the CIS Terms of Use as defined at http://benchmarks.cisecurity.org/downloads.

Page 10

What’s in your environment?

Databases, Mail, WWW

Server OSs

Network Gear

Endpoint Software

Which Benchmarks have you looked at? Any feedback?

Which Benchmarks do you plan to leverage next?

Page 11

Consensus Configuration Recommendations for Securing IT Resources

Examples:

Ensure Firewall is Enabled

Disallow SSH Protocol 1

Ensure echo Service is Disabled

Specifically called out by FISMA and PCI for securing systems.

Page 15

What it applies to…

Who helped make it…

How to interpret…

What to do…

Why to do it…

How to do it…

How do you know you did it…
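The three example recommendations from the "Consensus Configuration Recommendations" slide (firewall enabled, SSH protocol 1 disallowed, echo service disabled), written as the kind of "How do you know you did it" audit that this slide's structure ends on. This is an added example, not code from the deck, from CIS or from CIS-CAT; it assumes Linux-style evidence (an sshd_config, an xinetd echo service file and a chkconfig --list line for iptables), all constructed inline, and the names check_*, run_audit and score are hypothetical.

```python
import re

# Constructed sample evidence (not from any real host) standing in for what
# a CIS-CAT-style auditor would read off the target system.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin no
"""

SAMPLE_XINETD_ECHO = """\
service echo
{
        disable         = no
        type            = INTERNAL
        socket_type     = stream
        protocol        = tcp
        wait            = no
}
"""

SAMPLE_CHKCONFIG_IPTABLES = "iptables       0:off 1:off 2:on 3:on 4:on 5:on 6:off"


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def check_ssh_protocol(sshd_config: str) -> bool:
    """'Disallow SSH Protocol 1': pass only when a Protocol directive is present
    and every occurrence lists version 2 alone. A missing directive is treated
    as a finding because the guidance of that era was to set it explicitly."""
    found = False
    for raw in sshd_config.splitlines():
        m = re.match(r"protocol\s+(\S+)", _strip_comment(raw), re.IGNORECASE)
        if m:
            found = True
            if m.group(1).split(",") != ["2"]:   # "1" or "2,1" both fail
                return False
    return found


def check_echo_disabled(xinetd_conf: str) -> bool:
    """'Ensure echo Service is Disabled': pass when every 'service echo',
    'service echo-stream' or 'service echo-dgram' block sets 'disable = yes'
    (vacuously true when no echo block is defined at all)."""
    blocks = []          # one entry per echo block: True once 'disable = yes' seen
    in_echo = False
    for raw in xinetd_conf.splitlines():
        line = _strip_comment(raw)
        if re.match(r"service\s+echo(-\w+)?(\s|$)", line):
            in_echo = True
            blocks.append(False)
        elif in_echo and line == "}":
            in_echo = False
        elif in_echo:
            m = re.match(r"disable\s*=\s*(\S+)", line)
            if m and m.group(1).lower() == "yes":
                blocks[-1] = True
    return all(blocks)


def check_firewall_enabled(chkconfig_line: str) -> bool:
    """'Ensure Firewall is Enabled': pass when the iptables service is 'on' in
    every multi-user runlevel (2-5) of a 'chkconfig --list iptables' line."""
    fields = chkconfig_line.split()
    if not fields or fields[0] != "iptables":
        return False
    states = {}
    for field in fields[1:]:
        level, _, state = field.partition(":")
        if level.isdigit():
            states[int(level)] = state.lower()
    return all(states.get(level) == "on" for level in (2, 3, 4, 5))


def run_audit(sshd_config: str, xinetd_conf: str, chkconfig_line: str) -> dict:
    """Evaluate all three recommendations and report PASS/FAIL per item,
    the way a scan report lists findings to be fixed."""
    results = {
        "Ensure Firewall is Enabled": check_firewall_enabled(chkconfig_line),
        "Disallow SSH Protocol 1": check_ssh_protocol(sshd_config),
        "Ensure echo Service is Disabled": check_echo_disabled(xinetd_conf),
    }
    return {name: ("PASS" if ok else "FAIL") for name, ok in results.items()}


def score(report: dict) -> float:
    """Percentage of recommendations passed, for tracking progress between scans."""
    if not report:
        return 0.0
    return 100.0 * sum(v == "PASS" for v in report.values()) / len(report)


if __name__ == "__main__":
    report = run_audit(SAMPLE_SSHD_CONFIG, SAMPLE_XINETD_ECHO, SAMPLE_CHKCONFIG_IPTABLES)
    for name, status in report.items():
        print(f"{status:4} {name}")
    print(f"score: {score(report):.1f}%")
```

On the constructed sample the firewall check passes while the SSH and echo checks fail, which is the "find the fail, fix the fail, monitor progress" loop of the later slides in miniature: each check evaluates the evidence the recommendation says to collect, and the score gives a number to track between scans.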

Page 16

Authentication Servers: FreeRADIUS 1.1.3, MIT Kerberos 1.0

Collaboration Servers: Microsoft SharePoint Server 2007

Database Platforms: IBM DB2 Server 8/9/9.5, Microsoft SQL Server 2000/2005/2008 R2, MySQL Database Server 4.1/5.0/5.1, Oracle Database Server 8i/9i/10g/11g R2, Sybase Database Server 15

Directory Servers: Novell eDirectory 8.7, OpenLDAP Server 2.3.39/2.4.6

DNS Servers: BIND DNS Server 9.0-9.5

Mail Servers: Microsoft Exchange 2003/2007

Mobile Platforms: Apple Mobile Platform iOS 5.0.x, Google Mobile Platform

Network Devices: Checkpoint Firewall, Cisco Firewall Devices, Cisco Routers/Switches IOS 12.x, Cisco Wireless LAN Controller 7, Juniper Routers/Switches JunOS 8/9/10, Agnostic Print Devices

Productivity Software: Microsoft Office 2007, Microsoft Outlook 2010

Operating Systems - Desktop: Apple Desktop OSX 10.4/10.5, Microsoft Windows Desktop XP/NT/7/8

Operating Systems - Servers: Debian Linux Server, FreeBSD Server 4.1.0, HP-UX Server 11iv2/3 Update 4, IBM AIX Server 4.3.2/4.3.3/5L/5.1/5.3/6.1/7.1, Microsoft Windows Server 2000 Pro/2003 DC & MS/2008 DC & MS/2012 DC & MS, Novell Netware, Oracle Solaris Server 2.5.1-11/10 updates 3-8, Red Hat Linux Server 4/5/6, Slackware Linux Server 10.2, SUSE Linux Enterprise Server 9/10

Virtualization Platforms: VMware Server 3.5/4.1, Xen Server 3.2, Agnostic VM Server

Web Browsers: Apple Safari Browser 4.x, Microsoft Internet Explorer 9/10, Mozilla Firefox Browser 3.6, Opera Browser 10

Web Servers: Apache HTTP Server 2.2/2.4, Apache Tomcat Server 5.5/6.0, Microsoft IIS Server 5/6/7/7.5

Page 17

Database Platforms

Microsoft SQL Server 2012

Network Devices

Agnostic Wireless Devices

Mail Servers

Microsoft Exchange 2010

Productivity Software

Microsoft Outlook 2010 - RELEASED

Virtualization Platforms

VMware Server vSphere 5

Web Browsers

Microsoft Internet Explorer 10 - RELEASED

Operating Systems - Desktop

Apple Desktop OSX 10.7 & 10.8

Microsoft Windows Desktop 8 – RELEASED

Operating Systems - Servers

Linux Agnostic

IBM AIX Server 7.1- RELEASED

Microsoft Windows Server 2012 - RELEASED

SUSE Linux Enterprise Server 11

Page 18

Decide what to make

Ask CIS members

Survey community

Build a consensus team

CIS Members

Subject Matter Experts

Public security community

Technology vendors

.com, .edu, .gov, .org, .tld

Page 19

Define scope

Contractors and volunteers write recommendations

Recommendations are reviewed by consensus team

Tickets are created for issues

while (tickets.Count > 0)
{
    discussTickets();
}

Page 20

After a Benchmark release, a new milestone is created 3+ months out

Benchmark adopters filter feedback to CIS via:

[email protected] (members)

[email protected] (non-members)

Web site bug report form

Open ticket in consensus platform

Tickets are assigned to a release milestone

Technology point releases are accounted for

Maintainer teams work/close tickets with consensus group

Where no maintainer team exists, staff and/or contractors work tickets.

Page 21

Technology Vendors

Many don’t have their own security guides

They want to ensure guidance does not introduce unsupported state

Individuals

Earn CPE credits for ISC2/ISACA certs

Learn from other SMEs/skill building

Members

They’ve bought in to the model

It’s in their best interest

RFP bid fodder for security consultancies

Attribution

Some just want to help

Page 22

Join a Consensus Team

Log in to the member community site: https://community.cisecurity.org

Click Profile

Click Manage Projects

Add yourself to the project(s)

Begin Participation

Review Drafts

Answer Questions

Test Configurations

Report Bugs/Suggestions

Page 23

All downloads can be found under the Downloads Tab

Page 24

When:

Roadmap is Updated Automatically from Project Milestones

https://benchmarks.cisecurity.org/projects

How:

Subscribe to our Download RSS Feed

http://benchmarks.cisecurity.org/rss

Member Updates

Via email

Update your ‘receive newsletter’ setting on the community site

Profile -> Update Profile

Page 25

All Benchmarks: Portable Document Format (PDF)

Select Benchmarks: Microsoft Word, Microsoft Excel, eXtensible Configuration Checklist Description Format (XCCDF), OVAL and ECL

Automated Remediation Formats:

Group Policy Objects (GPO) – MS Windows 7 & 8, MS Windows Server 2008 & 2012, MS Internet Explorer 9 & 10, MS Outlook 2010

AIXPert XML – IBM AIX 5.3 – AIX 6.1

RHEL 6 Puppet Modules – Red Hat Enterprise Linux

Bastille Configuration – HP-UX 11i

Page 28

Host-based configuration assessment tool

Assesses a target system against recommendations made in CIS benchmarks

Requires Java Runtime Environment (JRE) v1.5 or later

Has graphical (GUI) and command line (CLI) user interfaces

Reads XML policy that can be customized

NIST FDCC Validated Scanner

Available to CIS members only

Page 29

Server admins/operations teams use CIS-CAT to perform self-assessments.

Build teams use CIS-CAT to validate a system before production rollout.

Security teams use CIS-CAT as part of their assessment process.

Auditors use CIS-CAT as part of compliance and governance processes.

Run CIS-CAT via Group Policy to assess a Microsoft Windows environment on a recurring basis.

Page 30

Authentication Servers: MIT Kerberos 1.10 Benchmark v1.0.0

Database Platforms: Oracle Database 11g Benchmark v1.0.1, Oracle Database 9i-10g Benchmark v2.0.1

Virtualization Platforms: VMware ESX 3.5 Benchmark v1.2.0, VMware ESX 4.1 Benchmark v1.0.0

Web Browsers: Mozilla Firefox Benchmark v1.0.0, Microsoft Internet Explorer 10 Benchmark v1.0.0

Web Servers: Apache Tomcat Benchmark v1.0.0

Operating Systems - Desktop: Apple OSX 10.5 Benchmark v1.1.0, Apple OSX 10.6 Benchmark v1.0.0, Microsoft Windows 7 Benchmark v1.2.0 (domain joined/oval), Microsoft XP Benchmark v2.0.1

Operating Systems - Servers: Debian Linux Benchmark v1.0.0, FreeBSD Server 4.1.0, HP-UX 11i Benchmark v1.4.2, IBM AIX 4.3-5.1 Benchmark v1.0.1, IBM AIX 5.3-6.1 Benchmark v1.1.0, IBM AIX 7.1 Benchmark v1.0.0, Microsoft Windows 2003 MS DC Benchmark v2.0.0, Microsoft Windows 2008 Server Benchmark v1.2.0 (domain joined/oval), Oracle Solaris Server 2.5.1-11/10 updates 3-8, Red Hat Enterprise Linux Server 4 Benchmark v1.0.5, Red Hat Enterprise Linux Server 5 Benchmark v2.0.0, Red Hat Enterprise Linux Server 6 Benchmark v1.2.0, Slackware Linux 10.2 Benchmark v1.1.0, Solaris 10 Benchmark v5.1.0, Solaris 11 Benchmark v1.0.0, SUSE Linux Enterprise Server 10 Benchmark v2.0.0, SUSE Linux Enterprise Server 9 Benchmark v1.0.0

Page 31

Databases

Microsoft SQL 2008

Network Devices

Cisco coverage

Operating Systems - Desktop

Apple Desktop OSX 10.8

Microsoft Windows Desktop 8

Operating Systems - Servers

Microsoft Windows Server 2012

Oracle Database 11gR2

SUSE Linux Enterprise Server 11

Productivity Software

Microsoft Outlook 2010

Virtualization Platforms

VMware Server vSphere 5

Web Browsers

Microsoft Internet Explorer 10 - RELEASED

Page 32

CIS-CAT Users Guide

Executing CIS-CAT via GUI and CLI

Understanding CIS-CAT Reports & Customization of Reports

Using the CIS-CAT Dashboard

CIS-CAT XML Adaptation Guide

How to add/remove/modify checks

Page 34

1. Download

2. Unzip*

3. Double Click

4. Select a Benchmark

*P.S. – Unzip CIS-CAT on a network drive and invoke it via Group Policy for +10 scalability points.

Page 35

5. Select a Profile

Page 36

6. Scan (WEEEEEE!!!)

Page 37

7. “Find The Fail”™®©

Page 38

8. “Fix The Fail”™®©

Page 39

9. Monitor Progress

Page 40

10. Measure Configuration Change Management using the CIS Security Metrics

Page 42

Router Audit Tool (RAT Tool)

Perl-based tool

Assesses Cisco ASA, FWSM, PIX and IOS devices against CIS Cisco benchmarks.

Apache Benchmark Tool

Perl-based tool

Assesses Apache HTTP Server instances against the CIS Apache HTTP Server benchmark.

Page 45

CIS Certified Security Software: tested to accurately measure and report system status against recommendations in CIS Benchmarks. http://benchmarks.cisecurity.org/certified

Why use Certified Security Software?

Independently validated to accurately audit systems

CIS Benchmark content integrated into software

Enterprise scale security auditing

Leverage deployed management tools

Page 47

Organizations struggle to make cost-effective security investment decisions;

Information Security Professionals lack widely accepted and unambiguous metrics for decision support.

To address this need, CIS established a consensus team of over 120 industry experts from leading commercial, government and academic organizations of varying sizes.

The result was a set of unambiguous, user originated, consensus-based standard metrics and data definitions that can be used across organizations to define, collect and analyze data on security process benefits and outcomes.

Page 48

Set of 28 metrics definitions designed to help security professionals in analyzing security process performance and outcome data.

Metrics cover 7 important business functions: Incident Management, Vulnerability Management, Patch Management, Application Security, Configuration Management, Change Management, Financial Metrics

CIS Security Metrics Quick Start Guide v1.0.0

Download: http://community.cisecurity.org

(Downloads Tab ->Security Metrics Category)

Page 50

As a benefit of membership, George Mason University employees are eligible to receive support service, at no charge, from CIS staff:

Email: [email protected]

Telephone, after initial email contact

Discussion areas on Community Member site

Primary Membership Contact – Michelle Vogeler, Member Representative, [email protected]
